Trend Micro Vision One V2
App Vendor: Trend Micro
Connector Category: Data Enrichment and Threat Intelligence | Endpoint | Network Security | Vulnerability Management
Connector Version: 1.3.0
API Version: 2.0.0
About App
Trend Micro Vision One V2 app allows security teams to integrate with Trend Micro Vision One enterprise app to work with and manage alerts, endpoints, and observables across the extended detection and response lifecycle.
Trend Micro Vision One V2 app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Alert Notes | This action adds notes to an alert. |
Add Objects | This action adds domains, file SHA-1 values, IP addresses, or URLs to the suspicious object list. |
Add Objects to Exception List | This action adds domains, file SHA-1 values, IP addresses, or URLs to the exception list and prevents these objects from being added to the suspicious object list. |
Add to Block List | This action blocks the objects on the Trend Micro application. |
Collect File | This action compresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform. |
Delete Objects | This action deletes domains, file SHA-1 values, IP addresses, or URLs from the suspicious object list. |
Delete Objects from Exception List | This action is used to delete domains, file SHA-1 values, IP addresses, or URLs from the exception list. |
Get Alert Details | This action retrieves the details of an alert. |
Get Alert Notes | This action retrieves the notes of an alert. |
Get Detailed History Alert | This action retrieves detailed information about alerts. |
Get Download Information for Collected File | This action retrieves a URL and other information required to download a collected file. |
Get File Analysis Report | This action retrieves the analysis report, investigation package, or suspicious object list of a submitted file. |
Get File Analysis Status | This action retrieves the status of a submitted file. |
Get Observed Attack Techniques | This action retrieves the observed attack techniques. |
Get Response Task Details | This action retrieves information about a specific response task. |
Isolate Endpoint | This action isolates an endpoint on the Trend Micro application. |
List Alerts | This action lists the alerts. |
Query Agent Information | This action retrieves the information of agents (computer IDs and user accounts). |
Query Information for Single Endpoint | This action retrieves information from an endpoint that matches the specified computer ID. |
Remove from Block List | This action removes a file SHA-1, IP address, domain, or URL object that was added to the user-defined suspicious objects list. |
Restore Endpoint | This action restores network connectivity to an endpoint. |
Search Data | This action searches data on the Trend Micro application. |
Submit File to Sandbox | This action submits a file to the sandbox for analysis. |
Terminate Process | This action terminates a process that is running on an endpoint. |
Update Alert Status | This action updates an alert status. |
Delete Alert Notes | This action deletes a note from the specified alert. |
List Response Task | This action retrieves a list of response tasks. |
Get Details for Multiple Endpoints | This action retrieves information on endpoints that match the specified computer IDs. |
Query Operating System Info | This action retrieves operating system information for all agents active in the last seven days. |
Get Exception List | This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the exception list and displays the information in a paginated list. |
Download Custom Intelligence Report | This action downloads a custom intelligence report as a STIX bundle. |
Trigger Sweeping Task | This action performs a search of your environment or third-party data sources that support STIX-shifter for threat indicators specified in a custom intelligence report. |
Download Sweeping Task | This action downloads the results of a sweeping task, including matched indicators and associated entities. |
Get Suspicious Object | This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the suspicious object list. |
Generic Action | This is a generic action to perform any additional use case that you want on Trend Micro Vision One V2. |
Configuration Parameters
The following configuration parameters are required for the Trend Micro Vision One V2 app to communicate with the Trend Micro Vision One enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter a region-specific base URL to connect to the Trend Micro Vision One V2 app. Example: "https://api.xdr.trendmicro.com" | Text | Required | |
API Token | Enter the API token to authenticate to Trend Micro Vision One V2. | Password | Required | |
Action: Add Alert Notes
This action adds notes to an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workbench ID | Enter an alert workbench ID. Example: "WB-9233-20210716-00000" | Text | Required | You can retrieve a Workbench ID using Action: List Alerts. |
Note | Enter a note to add to the alert. Example: "Sample alert note" | Text | Required | |
Action: Add Objects
This action adds domains, file SHA-1 values, IP addresses, or URLs to the suspicious object list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data | Enter the suspicious objects that you need to add to the suspicious object list. Example: $JSON[{'description': 'your_description (string)','expiredday': 'your_expiredday (integer)','risklevel': 'your_risklevel (string)','scanaction': 'your_scanaction (string)','type': 'your_type (string)','value': 'your_value (string)'}] | Any | Required | |
Action: Add Objects to Exception List
This action adds domains, file SHA-1 values, IP addresses, or URLs to the exception list and prevents these objects from being added to the suspicious object list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data | Enter an object that you need to add to the exception list. Example: $JSON[{'type': 'domain','value': '1.alisiosanguera.com.cn','description': 'example object added to the exception list.'}] | Any | Required | |
Action: Add to Block List
This action blocks the objects on Trend Micro.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Value Type | Enter the block item value type. Example: "file_sha1" | Text | Required | Allowed values: |
Target Value | Enter the target value for the specified Value Type. Example: "2de5c1125d5f991842727ed8ea8b5fda0ffa249b" | Text | Required | |
Product ID | Enter the target product. Example: | Text | Optional | |
Description | Enter the action description. | Text | Optional | |
Action: Collect File
This action compresses a file on an endpoint in a password-protected archive and then sends the archive to the XDR service platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer ID | Enter a computer ID. Example: "cb9c8412-1f64-4fa0-a36b-76bf41a07ede" | Text | Required | You can retrieve a Computer ID using Action: Query Agent Information. |
File Path | Enter a filepath. | Text | Required | |
Product ID | Enter a target product. Example: | Text | Required | |
OS | Enter an operating system. Example: | Text | Required | |
Description | Enter a description. | Text | Optional | |
Action: Delete Objects
This action deletes domains, file SHA-1 values, IP addresses, or URLs from the suspicious object list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Objects | Enter the suspicious objects to be deleted from the suspicious object list. Example: $JSON[{'type': 'your_type (string)', 'value': 'your_value (string)'}] | Any | Required | |
Action: Delete Objects from Exception List
This action deletes domains, file SHA-1 values, IP addresses, or URLs from the exception list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Objects | Enter the objects that you need to delete from the exception list. Example: $JSON[{'type': 'domain','value': '1.alisiosanguera.com.cn'}] | Any | Required | |
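The four list-management actions above (Add Objects, Add Objects to Exception List, Delete Objects, Delete Objects from Exception List) all take a list of `type`/`value` objects, and a malformed indicator (an upper-case hash, a domain with a trailing dot, an IP with an invalid octet) is either silently rejected or stored as a duplicate that never matches. The following Python helper is an added example, not part of this app or of Trend Micro's code: it canonicalises each indicator, builds the two payload shapes shown in the tables, and reports bad entries instead of discarding them. The type strings `ip`, `url` and `file_sha1` are assumptions (the page shows `domain` in its example and `file_sha1` as a block-list value type; the full list of allowed type values is not on the page), as are the sample values in the `__main__` block.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed type strings: 'domain' is from the page's exception-list example and
# 'file_sha1' from the Add to Block List example; 'ip' and 'url' are assumptions.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"          # one RFC 1123 hostname label
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+[a-z]{{2,63}}$")  # labels + alphabetic TLD


def normalize(obj_type: str, value: str) -> str:
    """Return the canonical form of an indicator value, or raise ValueError.

    Canonicalising before submission avoids duplicate entries that differ only by
    case or a trailing dot, and rejects values that could never match anything.
    """
    v = value.strip()
    if obj_type == "file_sha1":
        v = v.lower()
        if not SHA1_RE.match(v):
            raise ValueError(f"not a SHA-1 hex digest: {value!r}")
        return v
    if obj_type == "ip":
        # ipaddress handles IPv4 and IPv6 and rejects octets such as 999.
        return str(ipaddress.ip_address(v))
    if obj_type == "domain":
        v = v.lower().rstrip(".")
        if len(v) > 253 or not DOMAIN_RE.match(v):
            raise ValueError(f"not a valid domain name: {value!r}")
        return v
    if obj_type == "url":
        parts = urlparse(v)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return v
    raise ValueError(f"unsupported object type: {obj_type!r}")


def suspicious_object(obj_type, value, description, expiredday, risklevel, scanaction):
    """One entry for the Add Objects 'Data' list, using the keys shown on the page."""
    days = int(expiredday)
    if days <= 0:
        raise ValueError("expiredday must be a positive number of days")
    return {
        "description": description,
        "expiredday": days,
        "risklevel": risklevel,
        "scanaction": scanaction,
        "type": obj_type,
        "value": normalize(obj_type, value),
    }


def object_ref(obj_type, value):
    """One entry for the 'Objects' list of the two delete actions (type and value only)."""
    return {"type": obj_type, "value": normalize(obj_type, value)}


def build_batch(entries, builder):
    """Validate a batch of (type, value, *extra) tuples with the given builder.

    Returns (accepted, rejected): bad indicators are reported rather than silently
    dropped, and one bad entry does not block the rest of the batch.
    """
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(builder(*entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: two good indicators and two deliberately bad ones.
    sample = [
        ("domain", "1.alisiosanguera.com.cn.", "example object", 30, "high", "block"),
        ("file_sha1", "2DE5C1125D5F991842727ED8EA8B5FDA0FFA249B", "dropper", 30, "high", "block"),
        ("ip", "999.1.1.1", "bad octet", 30, "high", "block"),
        ("url", "ftp://example.test/x", "wrong scheme", 30, "high", "block"),
    ]
    ok, bad = build_batch(sample, suspicious_object)
    print("accepted:", ok)
    print("rejected:", bad)
```

The `accepted` list is what goes into the action's `$JSON[...]` parameter; the `rejected` list belongs in the playbook's output so that an analyst sees which indicators never reached the suspicious object list.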
Action: Get Alert Details
This action retrieves details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workbench ID | Enter an alert workbench ID. Example: "WB-14-20190709-00003" | Text | Required | You can retrieve a Workbench ID using Action: List Alerts. |
Action: Get Alert Notes
This action retrieves notes of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workbench ID | Enter an alert workbench ID. Example: "WB-14-20190709-00003" | Text | Required | You can retrieve a Workbench ID using Action: List Alerts. |
Action: Get Detailed History Alert
This action retrieves detailed information about alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time in ISO 8601 format (yyyy-mm-ddthh:mm:ss.mmmz in UTC). Example: "2020-06-15t10:00:00.000z" | Text | Required | |
End Time | Enter the end time in ISO 8601 format (yyyy-mm-ddthh:mm:ss.mmmz in UTC). Example: "2020-06-16t10:00:00.000z" | Text | Required | |
Sort | Enter a field to sort the details by. | Text | Optional | To display records in descending order, add a hyphen (-) before the field name. Allowed values: |
Investigation Status | Enter the investigation status. Example: 0 | Text | Optional | Allowed values: |
Query Time Field | Enter the timestamp field (between the start time and the end time) used to select alert data. Example: "updatedtime" | Text | Optional | Allowed values: Default value: createdtime |
Search by | Enter the field in which to search for the keyword in alert data. Example: "impactscope" | Text | Optional | Use Search by together with Keyword for optimal results. |
Keyword | Enter a keyword of 1 to 300 characters to search for in threat data. Example: "document.lnk" | Text | Optional | |
Starting Position | Enter the starting position (offset) of a record in the dataset. Example: 4 | Integer | Optional | Default value: 0 (zero) indicates the first record |
Limit | Enter the maximum number of records to display per page. Example: 20 | Integer | Optional | Default value: 100 |
Action: Get Download Information for Collected File
This action retrieves a URL and the information required to download a collected file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action ID | Enter an action ID. Example: "88139521" | Text | Required | You can retrieve an Action ID using Action: Add to Block List. |
Action: Get File Analysis Report
This action retrieves the analysis report, investigation package, or suspicious object list of a submitted file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter a report ID. | Text | Required | You can retrieve a Report ID using Action: Get File Analysis Status. |
Report Type | Enter the report type that you need to retrieve. Example: "vareport" | Text | Required | Allowed values: |
Action: Get File Analysis Status
This action retrieves the status of a submitted file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter a task ID to retrieve the status of a file. Example: "012e4eac-9bd9-4e89-95db-77e02f75a6f3" | Text | Required | You can retrieve a Task ID using Action: Submit File to Sandbox. |
Action: Get Observed Attack Techniques
This action retrieves the observed attack techniques.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Timestamp | Enter a start timestamp to retrieve the observed attack techniques. Example: "1628159233" | Integer | Required | |
To Timestamp | Enter an end timestamp to retrieve the observed attack techniques. Example: "1628159633" | Integer | Required | |
Size | Enter the maximum number of records to retrieve. | Integer | Required | |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys: For more information on the supported extra parameters, see Search Observed Attack Techniques event list. |
Action: Get Response Task Details
This action retrieves information about a specific response task.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Action ID | Enter an action ID. Example: "88139521" | Text | Required | You can retrieve an Action ID using Action: Add to Block List. |
Action: Isolate Endpoint
This action isolates an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer ID | Enter a computer ID that you need to isolate. Example: "cb9c8412-1f64-4fa0-a36b-76bf41a07ede" | Text | Required | You can retrieve a Computer ID using Action: Query Agent Information. |
Product ID | Enter the target product. Example: | Text | Required | |
Description | Enter a description for isolating the endpoint. | Text | Optional | |
Action: List Alerts
This action lists all alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the maximum number of alerts that you need to retrieve. | Integer | Optional | |
Offset | Enter an offset to return data from. | Text | Optional | 0 (zero) indicates the first record. |
Source | Enter the data source. | Text | Optional | By default, data from all applicable sources are retrieved. |
Query Time Field | Enter a query for the time field. Example: querytimefield=createdtime | Text | Optional | |
Sort by | Enter a method to sort by. Example: sortby=-createdtime | Text | Optional | |
Investigation Status | Enter a list of investigation statuses to retrieve alerts. Example: $LIST[0,2] | List | Optional | Allowed values: |
End time | Enter an end time to retrieve alerts. Example: "2020-06-15t10:00:00.000z" | Text | Optional | |
Start time | Enter a start time to retrieve alerts. Example: "2020-06-15t10:00:00.000z" | Text | Optional | |
Action: Query Agent Information
This action retrieves the information of agents (computer IDs and user accounts).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Criteria | Enter the criteria (field and value) used to query agent information. Example: $DICT[{'field': 'hostname','value': 'string'}] | Key Value | Required | |
Action: Query Information for Single Endpoint
This action retrieves information from an endpoint that matches the specified computer ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer ID | Enter a computer ID. | Text | Required | You can retrieve a Computer ID using Action: Query Agent Information. |
Action: Remove from Block List
This action removes a file SHA-1, IP address, domain, or URL object that was added to the user-defined suspicious objects list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Value Type | Enter the block item value type. Example: | Text | Required | Allowed values: |
Target Value | Enter the target value. Example: "2de5c1125d5f991842727ed8ea8b5fda0ffa249b" | Text | Required | |
Product ID | Enter the target product. Example: | Text | Optional | |
Description | Enter the action description. | Text | Optional | |
Action: Restore Endpoint
This action restores the network connectivity of an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer ID | Enter a computer ID. Example: "cb9c8412-1f64-4fa0-a36b-76bf41a07ede" | Text | Required | |
Product ID | Enter the target product. Example: "sao" | Text | Required | |
Description | Enter a description. | Text | Optional | |
Action: Search Data
This action searches data on the Trend Micro app.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Timestamp | Enter the timestamp to search from. Example: 1628159233 | Integer | Required | |
To Timestamp | Enter the timestamp to search until. Example: 1628159233 | Integer | Required | |
Query | Enter a query to search for. Example: hostname:* | Text | Required | |
Source | Enter a source grouping to search in. Example: "endpointactivitydata" | Text | Required | Allowed values: |
Fields | Enter a list of fields to return. Example: ["dpt","dst","endpointguid","endpointhostname"] | List | Optional | By default, values from all fields are retrieved. |
Offset | Enter an offset value. | Integer | Optional | Default value: 0 |
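The time-bounded actions on this page take two different representations: Get Detailed History Alert and List Alerts want ISO 8601 strings in UTC (yyyy-mm-ddthh:mm:ss.mmmz), while Get Observed Attack Techniques and Search Data want epoch seconds. Two mistakes are common in playbooks: building the window from a naive local-time datetime (the window is then shifted by the timezone offset) and passing millisecond timestamps where seconds are expected (the query silently returns nothing). The following Python helper is an added example, not code from this app or from Trend Micro; it produces both representations from one lookback window and catches both mistakes. The field names in the returned dict are labels chosen for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# The yyyy-mm-ddThh:mm:ss.mmmZ shape the page shows, always in UTC.
ISO_FMT = "%Y-%m-%dT%H:%M:%S.000Z"


def check_epoch_seconds(value: int) -> int:
    """Reject millisecond timestamps passed where epoch seconds are expected.

    A 13-digit value such as 1628159233000 lies thousands of years in the future,
    so a query built from it matches nothing and the API gives no error.
    """
    v = int(value)
    if v < 0 or v > 9_999_999_999:
        raise ValueError(f"{value} does not look like epoch seconds (expected a 10-digit value)")
    return v


def to_iso(epoch_seconds: int) -> str:
    """Epoch seconds (UTC) -> ISO 8601 string with millisecond field and Z suffix."""
    dt = datetime.fromtimestamp(check_epoch_seconds(epoch_seconds), tz=timezone.utc)
    return dt.strftime(ISO_FMT)


def to_epoch(iso: str) -> int:
    """ISO 8601 string with Z suffix (upper- or lower-case T/Z, as on the page) -> epoch seconds."""
    s = iso.strip().upper()
    if not s.endswith("Z"):
        raise ValueError("timestamp must be in UTC with a Z suffix")
    body = s[:-1]
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            dt = datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp())
        except ValueError:
            continue
    raise ValueError(f"unrecognised ISO 8601 timestamp: {iso!r}")


def lookback_window(hours: int, now_epoch: Optional[int] = None) -> dict:
    """Build both representations of the window [now - hours, now].

    'now' is taken as epoch seconds (or the current UTC time) so that no naive,
    local-time datetime can leak into the calculation.
    """
    if hours <= 0:
        raise ValueError("lookback must be a positive number of hours")
    end = check_epoch_seconds(now_epoch if now_epoch is not None else int(datetime.now(timezone.utc).timestamp()))
    start = end - int(timedelta(hours=hours).total_seconds())
    return {
        # for Get Detailed History Alert / List Alerts (Start Time, End Time)
        "starttime": to_iso(start),
        "endtime": to_iso(end),
        # for Get Observed Attack Techniques / Search Data (From/To Timestamp)
        "from_timestamp": start,
        "to_timestamp": end,
    }


if __name__ == "__main__":
    print(lookback_window(24))
    print(to_iso(1628159233))  # the page's Search Data example, as ISO 8601
```

Use `starttime`/`endtime` for the ISO-based actions and `from_timestamp`/`to_timestamp` for the epoch-based ones; because both come from the same two integers, the two queries cover exactly the same interval.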
Action: Submit File to Sandbox
This action submits a file to the sandbox for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filename | Enter a file name. | Text | Required | |
File Path | Enter a file path. Example: "/tmp/<GUID>/attachment.pdf" | Text | Required | |
Document Password | Enter the document password for decrypting the submitted document-type sample. | Text | Optional | The value of the document password must be base64-encoded. |
Archive Password | Enter the archive password for decrypting the submitted archive-type sample. | Text | Optional | The value of the archive password must be base64-encoded. |
Action: Update Alert Status
This action updates an alert status.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workbench ID | Enter an alert workbench ID. Example: "wb-14-20190709-00003" | Text | Required | |
Status | Enter an alert status. Example: 1 | Integer | Required | Allowed values: |
Action: Delete Alert Notes
This action deletes a note from the specified alert. Note that you may need special permissions to execute this action: for Workbench, enable the Modify alert details permission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workbench ID | Enter the workbench ID of the alert. Example: wb-14-20190709-00003 | Text | Required | You can retrieve the Workbench ID using the action List Alerts. |
Note IDs | Enter the note IDs that you want to delete. Use a comma-separated list to enter multiple IDs. Example: [123,234] | List | Required | You can retrieve the Note ID using the action Get Alert Notes. |
Action: List Response Task
This action retrieves a list of response tasks. Note that you may need special permissions to execute this action: for Response Management, enable the View, filter, and search (Task List tab) permission.
Action Input Parameters
This action does not require any input parameter.
Action: Get Details for Multiple Endpoints
This action retrieves information about endpoints that match the specified computer IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer IDs | Enter the computer IDs to get the details about the endpoints. | List | Required | You can retrieve the Computer ID using the action Query Agent Information. |
Action: Query Operating System Info
This action retrieves the operating system information for all agents active in the last seven days.
Action Input Parameters
This action does not require any input parameter.
Action: Get Exception List
This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the exception list and displays the information in a paginated list. Note that you may need special permissions to execute this action: for Suspicious Object Management, enable the View, filter, and search permission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters to filter the result. Example: limit: 100, type: ip | Key Value | Optional | |
Action: Download Custom Intelligence Report
This action downloads a custom intelligence report as a STIX bundle. Note that you may need special permissions to execute this action: for Intelligence Reports, enable the Download STIX Intelligence Report permission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to download a custom intelligence report. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30ca | Text | Required | You can retrieve the Report ID using the action Get File Analysis Status. |
Action: Trigger Sweeping Task
This action searches your environment or third-party data sources that support STIX-shifter for the threat indicators specified in a custom intelligence report. Note that you may need special permissions to execute this action: for Intelligence Reports, enable the Start sweeping (STIX-Shifter) permission.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30ca | Text | Required | |
Sweep Type | Enter the type of sweeping task. Example: manual | Text | Required | Allowed values: |
Action: Download Sweeping Task
This action downloads the results of a sweeping task, including matched indicators and associated entities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the ID of the custom intelligence report. Example: report--2c1091ba-a7d2-46b2-bf97-4137916c30ca | Text | Required | |
Task ID | Enter the ID of the sweeping task to download. Example: 43597ab5-b8b4-415d-87dc-24c94df82012 | Text | Required | |
Action: Get Suspicious Object
This action retrieves information about domains, file SHA-1 values, IP addresses, or URLs that are in the suspicious object list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters to filter the result. Example: limit: 100, type: ip | Key Value | Optional | |
Action: Terminate Process
This action terminates a process that is running on an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer ID | Enter the computer ID. Example: cb9c8412-1f64-4fa0-a36b-76bf41a07ede | Text | Required | |
File SHA 1 | Enter the file SHA 1. Example: 12a08b7a3c5a10b64700c0aca1a47941b50a4f8b | Text | Required | |
Product ID | Enter the target product. | Text | Optional | Default: sao |
Description | Enter the action description. | Text | Optional | |
File Name | Enter the file name. Example: samplefile | Text | Optional | |
Action: Generic Action
This is a generic action to perform any additional use case that you want on Trend Micro Vision One.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the endpoint to make the request to. Example: 'company_guid/findings' | Text | Required | |
Method | Enter the HTTP method. Example: GET | Text | Required | Allowed values: |
Query Params | Enter query parameters to filter the result. Example: limit : 10 | Any | Optional | |
Payload Data | Enter the payload data to pass to the API. Example: 'type': type, 'id': id | Key Value | Optional | |
Payload JSON | Enter the payload JSON to pass to the API. Example: $JSON[{"sweeptype": "ip"}] | Any | Optional | |
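The Generic Action hands a playbook-supplied endpoint, method, query parameters and payload straight to the API, so the playbook is responsible for joining the endpoint onto the configured Base URL correctly and for keeping the API Token out of logs. The following Python helper is an added example, not code from this app or from Trend Micro: it assembles the request offline (nothing is sent), refuses an endpoint that would redirect the request, and the token with it, to another host, and produces a log-safe copy. The `Authorization: Bearer` header and the set of allowed methods are assumptions; the allowed-values list for Method did not survive on the page.

```python
import json
from urllib.parse import urlencode, urljoin, urlparse

# Assumed: the page's allowed-values list for Method is not reproduced here.
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


def prepare_request(base_url, endpoint, method, api_token, query_params=None, payload_json=None):
    """Assemble one Generic Action call as dict(url, method, headers, body) without sending it."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported HTTP method: {method}")

    base = urlparse(base_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("Base URL must be an https:// URL such as https://api.xdr.trendmicro.com")

    # urljoin drops the base's last path segment unless the base ends with '/', and an
    # endpoint starting with '/' would discard the base path, so normalise both sides.
    url = urljoin(base_url.rstrip("/") + "/", endpoint.lstrip("/"))
    # An endpoint given as an absolute URL would send the bearer token to another host.
    if urlparse(url).netloc != base.netloc:
        raise ValueError(f"endpoint {endpoint!r} would change the host; only a path is allowed")
    if query_params:
        url += "?" + urlencode(query_params)

    headers = {
        "Authorization": f"Bearer {api_token}",  # assumed header scheme for the API Token
        "Accept": "application/json",
    }
    body = None
    if payload_json is not None:
        if method == "GET":
            raise ValueError("GET requests carry no body; use Query Params instead")
        body = json.dumps(payload_json).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return {"url": url, "method": method, "headers": headers, "body": body}


def redacted(request: dict) -> dict:
    """Copy of a prepared request that is safe to write to playbook logs."""
    safe = dict(request)
    safe["headers"] = dict(request["headers"])
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "Bearer ***"
    return safe


if __name__ == "__main__":
    # Constructed sample: the page's Base URL and endpoint examples with a placeholder token.
    req = prepare_request("https://api.xdr.trendmicro.com", "company_guid/findings", "GET",
                          "<API_TOKEN_PLACEHOLDER>", query_params={"limit": 10})
    print(redacted(req))
```

Pass the returned dict to the HTTP client of your choice; log only the output of `redacted()`.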